OXD server seems not able to access a remote RP test server via a domain alias (rp_test) during the dynamic client registration phase

By: Vagelis Nikolaou
Staff, 02 Feb 2018 at 10:19 a.m. CST

1 Response

Here is the current status:
**A.** I have an OIDC RP test server (actually an OP that validates RP clients) accessible at: https://rp_test:8080/gluu/rp-response_type-code/.well-known/openid-configuration
This is the URL the RP test server listens on. I deployed it on a CentOS 7 machine with docker-compose as described on the OIDC site.
I have confirmed that hitting this URL from a browser on another Win10 machine (after adding the rp_test alias to the hosts file) returns a valid response (actually the OP's configuration JSON).
**B.** I started the oxd server with the following configuration:
```json
{
  "server_name": "localhost",
  "port": 8099,
  "localhost_only": true,
  "time_out_in_seconds": 0,
  "use_client_authentication_for_pat": true,
  "trust_all_certs": true,
  "trust_store_path": "",
  "trust_store_password": "",
  "license_id": "....",
  "public_key": "....",
  "public_password": "....",
  "license_password": "....",
  "support-google-logout": false,
  "state_expiration_in_minutes": 5,
  "nonce_expiration_in_minutes": 5,
  "public_op_key_cache_expiration_in_minutes": 60,
  "protect_commands_with_access_token": false,
  "uma2_auto_register_claims_gathering_endpoint_as_redirect_uri_of_client": true,
  "migration_source_folder_path": "",
  "storage": "h2",
  "storage_configuration": {
    "dbFileLocation": "C:/Projects/Gluu/oxd-server/bin/oxd_db"
  }
}
```
**C.** The goal is to create a Spring application on another machine that uses an org.xdi.oxd.client.CommandClient object in order to register itself with the RP test server (at https://rp_test:8080).
Therefore I cloned the demo Spring app for the oxd server and adjusted some code in order to achieve the registration. The registration needs a call like this:
```java
// opHost, redirectUrl and postLogoutRedirectUrl are set elsewhere in the app
final RegisterSiteParams commandParams = new RegisterSiteParams();
commandParams.setOpHost(opHost);                              // OP / RP test server base URL
commandParams.setAuthorizationRedirectUri(redirectUrl);
commandParams.setPostLogoutRedirectUri(postLogoutRedirectUrl);
```
Now, after a few attempts I see that the org.xdi.oxd.client.CommandClient object cannot accept a remote domain name in setOpHost(). So I cannot use a value of https://rp_test:8080/gluu/rp-response_type-code for the opHost variable.
If I do this, the OXD server raises an exception like:
```text
org.apache.http.conn.HttpHostConnectException: Connection to https://rp_test:8080 refused
```
Only a local IP (e.g. 127.0.0.1:8009) is accepted. I used a local IP and WebScarab as a proxy in order to forward my request to the RP test server manually. This deployment works and I can see the configuration coming from the RP test server.
Such a configuration is like:
```json
"id_token_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"],
"end_session_endpoint": "https://rp_test:8080/gluu/rp-response_type-code/end_session",
"token_endpoint_auth_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512"],
"request_object_encryption_enc_values_supported": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"],
"request_object_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"],
"userinfo_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"],
"scopes_supported": ["openid", "profile", "phone", "email", "offline_access", "address", "openid"],
"userinfo_endpoint": "https://rp_test:8080/gluu/rp-response_type-code/userinfo",
"userinfo_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "none"],
"response_types_supported": ["code"],
"id_token_encryption_enc_values_supported": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"],
"claims_parameter_supported": true,
"claim_types_supported": ["normal", "aggregated", "distributed"],
"issuer": "https://rp_test:8080/gluu/rp-response_type-code",
"jwks_uri": "https://rp_test:8080/static/jwks_rMMG29fs2mknbTHA.json",
"claims_supported": ["middle_name", "phone_number_verified", "updated_at", "phone_number", "profile", "website", "name", "gender", "birthdate", "locale", "address", "zoneinfo", "given_name", "nickname", "preferred_username", "email_verified", "family_name", "sub", "email", "picture"],
"request_object_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "none"],
"token_endpoint": "https://rp_test:8080/gluu/rp-response_type-code/token",
"request_uri_parameter_supported": true,
"grant_types_supported": ["authorization_code", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer", "refresh_token"],
"acr_values_supported": ["PASSWORD"],
"version": "3.0",
"id_token_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "none"],
"registration_endpoint": "https://rp_test:8080/gluu/rp-response_type-code/registration",
"request_parameter_supported": true,
"response_modes_supported": ["query", "fragment", "form_post"],
"authorization_endpoint": "https://rp_test:8080/gluu/rp-response_type-code/authorization"}
```
However, I am also getting a different exception:
```text
2018-02-02 01:03:55,466 TRACE [org.xdi.oxd.server.service.DiscoveryService] Discovery response: {[here a valid config json]}
2018-02-02 01:03:55,474 TRACE [org.xdi.oxd.server.service.HttpService] Created TRUST_ALL client.
2018-02-02 01:03:55,505 ERROR [org.xdi.oxauth.client.RegisterClient] Host name may not be null
java.lang.IllegalArgumentException: Host name may not be null
    at org.apache.http.util.Args.containsNoBlanks(Args.java:81)
    at org.apache.http.HttpHost.<init>(HttpHost.java:81)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:501)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
    at org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor.execute(ApacheHttpClient4Executor.java:195)
    at org.jboss.resteasy.client.ClientRequest.execute(ClientRequest.java:439)
    at org.jboss.resteasy.client.ClientRequest.httpMethod(ClientRequest.java:686)
    at org.jboss.resteasy.client.ClientRequest.post(ClientRequest.java:570)
    at org.jboss.resteasy.client.ClientRequest.post(ClientRequest.java:575)
    at org.xdi.oxauth.client.RegisterClient._exec(RegisterClient.java:234)
    at org.xdi.oxauth.client.RegisterClient.exec(RegisterClient.java:77)
    at org.xdi.oxd.server.op.RegisterSiteOperation.registerClient(RegisterSiteOperation.java:257)
    at org.xdi.oxd.server.op.RegisterSiteOperation.persistRp(RegisterSiteOperation.java:226)
    at org.xdi.oxd.server.op.RegisterSiteOperation.execute_(RegisterSiteOperation.java:64)
    at org.xdi.oxd.server.op.RegisterSiteOperation.execute(RegisterSiteOperation.java:97)
    at org.xdi.oxd.server.op.RegisterSiteOperation.execute(RegisterSiteOperation.java:43)
    at org.xdi.oxd.server.Processor.process(Processor.java:76)
    at org.xdi.oxd.server.Processor.process(Processor.java:51)
    at org.xdi.oxd.server.SocketProcessor.run(SocketProcessor.java:55)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
2018-02-02 01:03:55,510 ERROR [org.xdi.oxd.server.op.RegisterSiteOperation] RegisterClient response is null.
2018-02-02 01:03:55,510 ERROR [org.xdi.oxd.server.op.RegisterSiteOperation]
java.lang.NullPointerException
    at org.xdi.oxd.server.op.RegisterSiteOperation.registerClient(RegisterSiteOperation.java:268)
    at org.xdi.oxd.server.op.RegisterSiteOperation.persistRp(RegisterSiteOperation.java:226)
    at org.xdi.oxd.server.op.RegisterSiteOperation.execute_(RegisterSiteOperation.java:64)
    at org.xdi.oxd.server.op.RegisterSiteOperation.execute(RegisterSiteOperation.java:97)
    at org.xdi.oxd.server.op.RegisterSiteOperation.execute(RegisterSiteOperation.java:43)
```
I assume that the last exception is raised because the configuration JSON returns endpoints in the form https://rp_test:8080/..., which as mentioned are not accessible (remember that in this case I used WebScarab as a proxy in order to forward the request to rp_test).
**D. UPDATE**:
My initial configuration for the oxd server, shown in the previous sections, had the property `"localhost_only":true`.
I set it to false and retried twice: first with the rp_test alias (set in my hosts file) and then with the IP of the host directly.
ONLY the IP case managed to fetch the discovery information. The domain name alias still fails.
**CONCLUSION**:
It seems that with the current configuration the OXD server is unable to resolve the rp_test alias name on the local machine and consequently cannot access the real RP test server on the other machine (again, from a browser the domain name rp_test is accessible).
The localhost_only configuration parameter, as it seems, can help a little since it allows access to the RP test server by the machine's IP (but as a whole it still fails because the RP test server assumes a domain name such as rp_test and not just an IP).
So I think that first we need to confirm that the oxd server has the correct configuration (because it may not be sufficient) and, if the problem persists, check why it can't resolve a domain alias (rp_test) even if it is set locally and correctly in the hosts file.
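A diagnostic that follows from the stack trace above, added here as an example (it is not code from the original post, from oxd or from Gluu): for each endpoint URL taken from the discovery document it reports whether java.net.URI extracts a host from the URL and whether that host resolves through the JVM resolver, which consults the hosts file. java.net.URI returns a null host when the authority is not a valid server-based authority, and an underscore, as in rp_test, is not a legal hostname character; Apache HttpClient's HttpHost constructor then fails with "Host name may not be null", the message seen in the oxd log. The hyphenated rp-test URL is a constructed comparison value, not a host from the page.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.LinkedHashMap;
import java.util.Map;

// Added diagnostic (not from the original post or from oxd): per URL, does java.net.URI yield a host, and does it resolve?
public class EndpointHostCheck {
    // Endpoints from the discovery document above; the last entry is a constructed comparison with a hyphen
    public static final String[] ENDPOINTS = {
        "https://rp_test:8080/gluu/rp-response_type-code/registration",
        "https://rp_test:8080/gluu/rp-response_type-code/token",
        "https://rp_test:8080/static/jwks_rMMG29fs2mknbTHA.json",
        "https://rp-test:8080/gluu/rp-response_type-code/registration"  // constructed, hypothetical
    };

    // True if the JVM resolver (system resolver, hosts file included) knows the name
    public static boolean resolves(String host) {
        try {
            InetAddress.getByName(host);
            return true;
        } catch (UnknownHostException e) {
            return false;
        }
    }

    // One verdict per URL, in input order
    public static Map<String, String> check(String[] urls) {
        Map<String, String> report = new LinkedHashMap<>();
        for (String url : urls) {
            URI u = URI.create(url);
            String host = u.getHost();  // null when the authority is not a valid server-based authority
            String verdict;
            if (host == null) {
                // On this input new HttpHost(null, port) throws "Host name may not be null"
                verdict = "NO HOST: URI.getHost() is null, authority='" + u.getAuthority() + "'";
            } else if (!resolves(host)) {
                verdict = "UNRESOLVED: '" + host + "' is not known to the JVM resolver (check the hosts file)";
            } else {
                verdict = "OK: '" + host + "' parses and resolves";
            }
            report.put(url, verdict);
        }
        return report;
    }

    public static void main(String[] args) {
        check(ENDPOINTS).forEach((url, v) -> System.out.println(url + " -> " + v));
    }
}
```

The rp_test URLs report NO HOST regardless of the hosts file, while the constructed rp-test URL parses to a host and reports OK or UNRESOLVED depending only on whether that name is in the hosts file.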